Juniper Finds Backdoor Exposing Encrypted VPN Traffic

infosec

In a security advisory posted late Thursday, Bob Worrall, Juniper Network’s Chief Information Officer, announced that the ScreenOS software used on the company’s NetScreen firewalls contains an unauthorized backdoor allowing third parties to potentially monitor encrypted VPN traffic.

“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections. …  At this time, we have not received any reports of these vulnerabilities being exploited,” Worrall wrote.

Juniper says that ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected should be upgraded immediately to either 6.2.0r19 or 6.3.0r21, as there are no workarounds to disable access. Juniper also says they have no evidence that the their products running their Junos operating system are impacted by this breach.

In another knowledgebase article, Juniper explains what type of logged event may appear on a compromised system, but warns that a skilled attacker would likely be able to clean his tracks and remove the events from the logs.

While it’s not clear who is responsible or how this backdoor was added to the code, many security experts point to a 2013 article published by Der Spiegel that said an NSA operation called FEEDTHROUGH worked specifically against Juniper firewalls and gave the agency persistent backdoor access.

The NSA also had an operation exposed by Edward Snowden in which they intercepted Cisco products, mid-shipment, that were destined for other countries, to install backdoor code directly into those routers, firewalls, etc. However, unlike that operation, if the NSA were to be responsible for the Juniper backdoor, this exploit would be present on any ScreenOS hardware around the world, including within the United States.